[Cryptography] Internet of Things and small cheap ASICs?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Oct 1 23:03:51 EDT 2014


Bill Cox <waywardgeek at gmail.com> writes:

>Personally, the Internet of Things seems to have a major security problem. I
>personally do not plan to hook my thermostat to the Internet any time soon,
>for example.  Can anyone point me to the best papers describing how to
>actually secure the IoT?

That question would take a small essay to answer (even defining IoT would take
a small essay; I'm going to map it to SCADA-like systems rather than a Twitter
feed to the LCD panel on your fridge), so I'll just reply with a few bullet
points to cover the main issues:

* The infrastructure is stuck at about the Windows 95 level of security, and
isn't getting any better.

* There's no obvious driver for improvement.  With Win95 (and NT) it was
global worms and the fact that you had one of these things on every desktop,
but if your thermostat reboots itself every now and then because it's part of
a botnet no-one will notice or care much.

* Availability and safety trump security in every case.  Having a hundred-ton
hydraulic press take someone's fingers off because of an expired certificate
(although I'm not quite sure how that particular case could happen) is a
no-no.

* After availability and safety comes cost.  Security comes in at about
position 100 in the feature priority list, with the first 80 slots being taken
up by "availability/safety".

* The security model for IoT (in the form of SCADA-like devices) has always
been not to hook them up to a WAN.  Unroutable serial protocols helped here.
For more recent devices, the security model is "block it at the firewall".

* Oh, and assume it's insecure by design.  You'll rarely be disappointed.

* To finally answer the question, see any work on securing things, the OWASP
guides, static source code analysis tools, a roomful of books on secure coding
and pen-testing, etc.

Peter.
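
The "block it at the firewall" model Peter describes, written out as an added
example (this is not part of the original post and not anything its author
supplied). It is an nftables ruleset that isolates a SCADA/IoT VLAN so that the
devices on it can neither reach the Internet nor be reached from it, while the
one host that legitimately polls them keeps working. The interface names
(vlan20, wan0), the subnet 10.20.0.0/24, the engineering workstation 10.10.0.5
and the Modbus/TCP port 502 are all illustrative assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumed, illustrative values:
#   vlan20        - the VLAN interface the SCADA/IoT devices sit on
#   10.20.0.0/24  - the subnet of that VLAN
#   wan0          - the Internet-facing interface
#   10.10.0.5     - the engineering workstation allowed to poll the devices
#   tcp/502       - Modbus/TCP, the only protocol that host needs

define iot_if   = "vlan20"
define iot_net  = 10.20.0.0/24
define wan_if   = "wan0"
define ews_host = 10.10.0.5

table inet iot_isolation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were allowed below (e.g. the devices
        # answering the engineering workstation) may continue.
        ct state established,related accept

        # The weak setting this replaces is a blanket
        #     iifname $iot_if accept
        # i.e. "it's on the LAN, so it's fine".

        # Nothing on the IoT VLAN may originate traffic to the Internet.
        # Counting and logging it gives you a signal when a device
        # starts trying to phone home.
        iifname $iot_if oifname $wan_if counter log prefix "iot-egress-blocked " drop

        # Nothing on the Internet may reach the IoT VLAN directly.
        iifname $wan_if oifname $iot_if counter drop

        # The only new connections into the IoT VLAN come from the
        # engineering workstation, and only on the Modbus/TCP port.
        iifname != $iot_if oifname $iot_if ip saddr $ews_host ip daddr $iot_net tcp dport 502 ct state new accept

        # Anything else involving the IoT VLAN falls through to the drop policy.
    }
}
```

Load it with `nft -f <file>` on the router or firewall that sits between the
VLANs. The point of the ruleset is the one the post makes: it does nothing to
make the devices themselves less insecure by design, it just keeps them off the
WAN, and it does so without touching the polling path, so the availability
requirement that outranks security in these environments is not affected. The
logged drops on the egress rule are the cheap detection that a device has
become part of something it should not be.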


More information about the cryptography mailing list